Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for sources IPs with the highest number of distinct/unique HTTP methods?

anton_chuvakin
New Member
‎05-31-2011 05:11 PM

It seems simple but somehow the answer escapes me. I have Apache http access logs and I want to look for source IPs that produced the highest number of HTTP response codes, methods, etc.

E.g. 10.10.10.10 only used GET, while 11.11.11.11 used GET, POST, PUT, etc on my webserver. You can see where I am going with this.

So, what kinda query would do it?

0 Karma
Reply

anton_chuvakin
New Member
‎06-01-2011 04:06 PM

In the end, I ended us using these:

sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count

and this

sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, status | stats count by clientip | sort -count

with GREAT results that led me to some fun web mayhem that was happening.

Thanks a lot to all involved 🙂

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-31-2011 07:44 PM

In addition to what lguinn posted, this 

sourcetype="access_combined" | stats distinct_count(method) as dcm by clientip | sort -dcm

is fairly explicit.

Reply

anton_chuvakin
New Member
‎06-01-2011 03:56 PM

Thanks a lot for this!!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-01-2011 10:32 AM

Well, probably not more efficient, but more clearly corresponding to what you're asking for.

0 Karma
Reply

lguinn2
Legend
‎06-01-2011 10:16 AM

Ah, that's a more efficient solution.

0 Karma
Reply

lguinn2
Legend
‎05-31-2011 05:35 PM

Here are two examples of what you asked for --

Most number of methods used, not counting duplicates

sourcetype="access_combined" | dedup clientip, method  | top clientip

Most number of unique pages visited

sourcetype="access_combined" | dedup clientip, uri  | top clientip

But here are variations that might be more useful --

sourcetype="access_combined" | stats count by clientip, method | sort -count

sourcetype="access_combined" | stats count by clientip, uri | sort -count

Finally, take it to the next level by clicking the "Build Report" button and making a graph or chart of the results!

Reply

anton_chuvakin
New Member
‎06-01-2011 03:56 PM

Thanks a lot for this as well!!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-31-2011 07:45 PM

To really figure out what he asked, the last couple should actually look like: sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count

0 Karma
Reply

anton_chuvakin
New Member
‎05-31-2011 05:13 PM

This (http://splunk-base.splunk.com/answers/6015/display-field-uniques-in-search) seems related but isn't quite the same since I need to rank by uniqueness...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...